Partial-Collision Attack on the Round-Reduced Compression Function of Skein-256
Hongbo Yu, Jiazhe Chen, Xiaoyun Wang
Tsinghua University, Shandong University

Outline
• Brief description of Skein-256
• Previous results related to near(partial)-collision on Skein
• Our attacks

Skein
• One of the 5 finalists of the SHA-3 competition
• Designers
  – Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker
• Unique Block Iteration (UBI) based on the block cipher Threefish
• The block size: 256/512/1024 bits
  – Skein-512 is the primary proposal
  – Skein-256 is a low-memory variant
  – Skein-1024 is an ultra-conservative variant

Skein
• Compression function: $H_{i+1} = E(H_i, T, M_i) \oplus M_i$
  – $E(\cdot)$: the block cipher Threefish
  – $M_i$: the plaintext, block size 256/512/1024 bits
  – $H_i$: the key, same size as $M_i$
  – $T = (t_0, t_1)$: the tweak of 128 bits

Threefish-256 (72 Rounds)
[Figure: Four of the 72 rounds of the Threefish-256 block cipher. Labels: Plaintext M, Subkey0, four rounds of MIX, MIX, Permute, Subkey1.]
The MIX function, with rotation $\lll R_{d,j}$:
$y_0 = (x_0 + x_1) \bmod 2^{64}$
$y_1 = (x_1 \lll R_{(d \bmod 8),\, j}) \oplus y_0$

Key Schedule
• The key schedule starts with the 256-bit master key $K = (k_0, k_1, k_2, k_3)$ and the 128-bit tweak value $T = (t_0, t_1)$.
• First compute two additional words $k_4$ and $t_2$:
  $k_4 = C_{240} \oplus k_0 \oplus k_1 \oplus k_2 \oplus k_3$ and $t_2 = t_0 \oplus t_1$
• Then the subkeys $K_s = (K_{s,a}, K_{s,b}, K_{s,c}, K_{s,d})$ are derived by:
  for $s = 0$ to $18$
  $K_{s,a} = k_{(s+0) \bmod 5}$
  $K_{s,b} = k_{(s+1) \bmod 5} + t_{s \bmod 3}$
  $K_{s,c} = k_{(s+2) \bmod 5} + t_{(s+1) \bmod 3}$
  $K_{s,d} = k_{(s+3) \bmod 5} + s$

Near-collision and Partial-collision
• Near-collision resistance: It should be hard to find any two inputs m, m* with m ≠ m* such that H(m) and H(m*) differ in only a small number of bits. [Handbook]
• w-bit near-collision: a message pair m and m* collides ⊕ = ≤ * such that H M ( ) H M ( ) w , w n w n ∑ 2 n /2
  – Generic attack: time complexity , memory n 2 2 i = i 0
• w-bit partial-collision: a message pair m and m* collides in the fixed w bits
  – Generic attack: $2^{w/2}$

Comparison of attacks related to (near)-collision on Skein-256

| Target | Round | Time | Type | Authors |
|---|---|---|---|---|
| Skein-512 | 17 (0-17) | $2^{24}$ | 434-bit free-start near-collision | [SWWD10] |
| Skein-256 | 20 (0-20) | $2^{97}$ | 130-bit free-start near-collision | [SWWD10] |
| Skein-512 | 20 (20-40) | $2^{52}$ | 266-bit free-start near-collision | [SWWD10] |
| Skein-512 | 22 | $2^{253.7}$ | Free-start collision | [LIS12] |
| Skein-512 | 37 | $2^{255.7}$ | Free-start collision | [LIS12] |
| Skein-256 | 24 (4-28) | $2^{42}$ | 254-bit near-collision | This paper |
| Skein-256 | 28 (0-28) | $2^{44}$ | 222-bit near-collision | This paper |
| Skein-256 | 28 (4-32) | $2^{42}$ | 228-bit near-collision | This paper |
| Skein-256 | 32 (0-32) | $2^{85}$ | 206-bit partial-collision | This paper |

The Basic Idea of Our Attack
[Figure labels: Long differential path; Low Hamming Weight]

The Subkey Difference

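The key schedule above and the way a key/tweak difference reaches the subkeys, as an added example (not the authors' code). The value of C240 is an assumption (the Skein v1.3 constant; the slides only name it), and the key, tweak and difference are constructed for illustration, not the ones used in the paper.

```python
MASK64 = (1 << 64) - 1
MSB = 1 << 63
# Assumption: the slides only name C_240; this is the Skein v1.3 constant.
C240 = 0x1BD11BDAA9FC1A22

def subkeys(key, tweak, c240=C240):
    """Threefish-256 key schedule as on the slide: 19 subkeys of four words."""
    k = list(key) + [c240 ^ key[0] ^ key[1] ^ key[2] ^ key[3]]
    t = list(tweak) + [tweak[0] ^ tweak[1]]
    return [(k[s % 5],
             (k[(s + 1) % 5] + t[s % 3]) & MASK64,
             (k[(s + 2) % 5] + t[(s + 1) % 3]) & MASK64,
             (k[(s + 3) % 5] + s) & MASK64)
            for s in range(19)]

def subkey_differences(key, tweak, dkey, dtweak):
    """XOR difference of every subkey word for the pair (K, T), (K^dK, T^dT)."""
    key2 = [x ^ d for x, d in zip(key, dkey)]
    tweak2 = [x ^ d for x, d in zip(tweak, dtweak)]
    return [tuple(x ^ y for x, y in zip(p, q))
            for p, q in zip(subkeys(key, tweak), subkeys(key2, tweak2))]

def zero_difference_rounds(diffs):
    """Indices s whose subkey K_s carries no difference at all."""
    return [s for s, d in enumerate(diffs) if not any(d)]

# Constructed sample input (not taken from the paper).
KEY = (0x0123456789ABCDEF, 0x0F1E2D3C4B5A6978,
       0xFFFFFFFFFFFFFFFF, 0x8000000000000001)
TWEAK = (0x1111111111111111, 0xFEDCBA9876543210)
DKEY = (0, 0, 0, MSB)   # flips k_3, and therefore k_4 as well
DTWEAK = (MSB, MSB)     # flips t_0 and t_1, so t_2 is unchanged

if __name__ == "__main__":
    diffs = subkey_differences(KEY, TWEAK, DKEY, DTWEAK)
    for s, d in enumerate(diffs):
        weight = sum(bin(w).count("1") for w in d)
        print(f"K_{s:<2} weight={weight}  " + " ".join(f"{w:016x}" for w in d))
    print("zero-difference subkeys:", zero_difference_rounds(diffs))
```

Because flipping the most significant bit of a word is the same as adding $2^{63}$ modulo $2^{64}$, these differences pass through the additions of the key schedule deterministically, so the result does not depend on the sample key and tweak.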
Fig. Near(partial)-collision path
[Figure labels: 16 rounds; 8 rounds; 8 rounds]

Strategy to Connect Two Short Paths
• Select round 20 as the connection point
  – the subkey is involved
• Connect $a_{20}$ and $c_{20}$
  – adjust the difference from $h_{21}$ to $h_{24}$
• Connect $b_{20}$ and $d_{20}$
  – adjust the difference from $h_{16}$ to $h_{19}$
• Using two kinds of difference modes
  – XOR differential
  – '+': the integer modular subtraction difference

[Figure: state words $a_i, b_i, c_i, d_i$ for $i = 16, \ldots, 24$; the words of round 20 appear twice]

32-round Skein-256 Differential Path

The Conditions Distribution

| Groups | Conditions | Modified Conditions | Used message/IV |
|---|---|---|---|
| 1 | 216 | 174 | $a_{20}, b_{20}, c_{20}, d_{20}$ |
| 2 | 168 | 150 | $K_{5,a}, K_{5,b}, K_{5,c}, K_{5,d}$ |
| 3 | 104 | 15 | $K_{4,b}, K_{4,d}$ |

Group-1: conditions in rounds 16 to 20
Group-2: conditions in rounds 20 to 24, and $c_{16}$
Group-3: other conditions

Partial(near)-Collision Attack
Phase 1:
• Search 256-bit $h_{20} = (a_{20}, b_{20}, c_{20}, d_{20})$ to fulfil rounds 16-20
  – Message modification technique
  – Time complexity: $2^{42}$
Phase 2:
• Search 256-bit $K_5 = (K_{5,a}, K_{5,b}, K_{5,c}, K_{5,d})$ to fulfil rounds 20 to 24 and the conditions in $c_{16}$
  – Message modification technique
  – Time complexity: $2^{18}$

Partial(near)-Collision Attack
Phase 3:
• Search 128-bit $K_{4,b}, K_{4,d}$ to fulfil the other rounds (0-16, 24-32)
  – Message modification technique
  – Time complexity: $2^{85}$
The complexity of our attack
• 32 rounds (0-32): $2^{42} + 2^{18} + 2^{85} \approx 2^{85}$
• 24 rounds (4-28): $2^{42} + 2^{26} \approx 2^{42}$
• 28 rounds (0-28): $2^{42} + 2^{18} + 2^{44} \approx 2^{44}$
• 28 rounds (4-32): $2^{42} + 2^{18} + 2^{41} \approx 2^{42}$

Degrees of Freedom Analysis
• The total degrees of freedom
  – Come from the message M, the master key K and the tweak T: 256 + 256 + 128 = 640
  – Number of conditions: 488
• The degrees of freedom in rounds 16-20 (Phase 1)
  – Come from $h_{20}$: 256
  – Number of conditions: 216
• The degrees of freedom in rounds 20-24 (Phase 2)
  – Come from $K_5$: 256
  – Number of conditions: 168
• The degrees of freedom in other rounds (Phase 3)
  – Come from $K_5$: 128
  – Number of conditions: 104

Examples

Thank you for your attention!